feat(ci): add periodic and ad hoc vulnerability scan #245
Conversation
This is how the report and workflow look in my private fork: https://github.com/fhrbata/idf-extra-components/actions/runs/6309525206/job/17129607763
Thanks for adding this! One question: how will this action notify us if it finds any vulnerabilities?
@mahavirj The command exits with But I have very limited experience with GitHub, so maybe it's somehow possible and I just don't know how. One quick thought is that maybe we can store some email address in secrets and explicitly send the report to that address if the check fails (finds some new vulnerability).
I might also suggest that we set up a simple webhook in Mattermost, so that when the action fails, it notifies us on some channel.
@igrr Thank you very much for the suggestion. IIUC we would set up an incoming webhook in Mattermost and use e.g. the mattermost notify action in the workflow to post a message into the Mattermost channel if the workflow fails, or am I missing something? Thank you
@igrr I guess we would like to use something like this in GL also, so maybe just sending the msg from the jobs with curl would be enough. Do you want this to be handled as part of this PR or can it be handled in a follow-up PR?
@mahavirj Would some Mattermost channel work for you as a source for the notifications? Thank you
@fhrbata Yeah, that sounds good to me.
Hi @mahavirj I needed to update this PR, but now it should hopefully be all set. I tested both cases (ok, failed) in my private fork and the testing Mattermost channel. The
esp-idf-sbom allows to scan whole repository/directory for all possible manifest files (idf_component.yml, sbom.yml and its referenced manifests, .gitmodules) and check them for possible vulnerabilities based on the cpe variable in manifest. This adds scheduled scan at every midnight and also ad hoc (dispatch workflow) allowing to scan on demand. Simple message with overall status and job link is sent to Mattermost channel via webhook specified with MATTERMOST_WEBHOOK secret.
Signed-off-by: Frantisek Hrbata <[email protected]>
Change description
esp-idf-sbom allows to scan whole repository/directory for all possible manifest files (idf_component.yml, sbom.yml and its referenced manifests, .gitmodules) and check them for possible vulnerabilities based on the cpe variable in manifest.
This adds scheduled scan at every midnight and also ad hoc (dispatch workflow) allowing to scan on demand.
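As an added illustration of the workflow shape this description sketches (not the file from this PR): a job triggered both by a nightly schedule and by manual dispatch, an esp-idf-sbom scan over the checked-out tree, and a one-line Mattermost message carrying the job status and run link, posted through the MATTERMOST_WEBHOOK secret. The exact esp-idf-sbom command line, the action versions and the Python version are assumptions; the Mattermost payload format (`{"text": ...}`) is the standard incoming-webhook shape.

```yaml
name: vulnerability-scan

on:
  schedule:
    - cron: '0 0 * * *'      # every midnight (UTC)
  workflow_dispatch:         # ad hoc run from the Actions tab

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive   # .gitmodules entries are part of the scan

      - uses: actions/setup-python@v4
        with:
          python-version: '3.11'

      - name: Scan manifests for known vulnerabilities
        # Assumed CLI: esp-idf-sbom's "manifest check" walks the tree for
        # idf_component.yml / sbom.yml / .gitmodules and looks up the cpe
        # values it finds; a non-zero exit fails the job and so flips
        # job.status below to "failure".
        run: |
          pip install esp-idf-sbom
          esp-idf-sbom manifest check .

      - name: Notify Mattermost
        if: always()            # report both the ok and the failed case
        env:
          WEBHOOK: ${{ secrets.MATTERMOST_WEBHOOK }}
          STATUS: ${{ job.status }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          # Build the JSON with jq so status/URL cannot break the payload.
          payload=$(jq -n \
            --arg t "Vulnerability scan of $GITHUB_REPOSITORY: $STATUS - $RUN_URL" \
            '{text: $t}')
          # --fail makes a rejected or unreachable webhook visible in the job log.
          curl --fail -sS -H 'Content-Type: application/json' \
            -d "$payload" "$WEBHOOK"
```

The notify step runs with `if: always()` so a channel silence cannot be mistaken for a clean scan; the webhook URL stays in the repository secret and never appears in the log.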